[Oisf-devel] Logging

Victor Julien victor at inliniac.net
Mon Aug 23 09:37:56 UTC 2010

m wrote:
> I have an issue with Suricata logging.
> As part of my firewall I have Suricata configured as an IPS and my rules 
> mix DROP and ALERT actions.
> For efficiency I only use the default fast.log.
> I do see rules fire.
> 2010-08-05 11:34:56    suricata:    08/05/10-15:34:54.679423 [**] 
> [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] 
> [Classification: Potentially Bad Traffic] [Priority: 3] {6} 
> 61.xxx.52.98:6000 -> 192.168.xxx.xxx:1433 [Xref => 
> http://doc.emergingthreats.net/2010935][Xref => 
> http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DB_Connections]
> So with that log info, tell me what happened; was the packet sent on to 
> the server or dropped?  Right, this does not show disposition.
> Looking a little deeper, I don't see any option for logging the action.

The example you posted is from our fast.log, which is meant to be
compatible to Snort's alert fastlog. I believe Snort adds [drop]
somewhere on the line. You are correct that we don't have that in
Suricata yet. Adding it should be pretty trivial. The packet structure
contains an 'action' field, that can be checked as follows.

if (p->action & ACTION_DROP) {
  // pkt was dropped

> /* The different log format specifiers supported by the API */
> #define SC_LOG_FMT_TIME             't' /* Timestamp in standard format */
> #define SC_LOG_FMT_PID              'p' /* PID */
> #define SC_LOG_FMT_TID              'i' /* Thread ID */
> #define SC_LOG_FMT_TM               'm' /* Thread module name */
> #define SC_LOG_FMT_LOG_LEVEL        'd' /* Log level */
> #define SC_LOG_FMT_FILE_NAME        'f' /* File name */
> #define SC_LOG_FMT_LINE             'l' /* Line number */
> #define SC_LOG_FMT_FUNCTION         'n' /* Function */

Actually this is part of Suricata's internal logging subsys, for
communicating errors, debug msgs, and such. It's not used by the alert
fast log module for writing out the log lines.


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list